CVE-2026-11058: Chrome Windows CredentialProvider Integer Overflow Privilege Escalation
Google Chrome on Windows contains an integer overflow vulnerability in its CredentialProvider component that could allow an attacker who has already compromised the browser's rendering engine to escalate their privileges to the operating system level. The attacker would need to serve a specially crafted webpage to trigger the flaw. While the Chromium project rates this as Medium severity, the CVSS assessment reflects HIGH risk due to the potential for complete system compromise once the renderer is already under attacker control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-472
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Integer overflow in CredentialProvider in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform OS-level privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11058 is an integer overflow vulnerability (CWE-472) residing in Chrome's CredentialProvider subsystem on Windows. The flaw exists in versions prior to 149.0.7827.53. Exploitation requires two preconditions: first, the attacker must have already achieved code execution in the Chrome renderer process; second, the user must visit or be redirected to a malicious HTML page. The integer overflow allows the compromised renderer to bypass privilege boundaries and execute OS-level code with elevated privileges, effectively converting a sandbox escape into a full privilege escalation.
Business impact
For organizations where Chrome is a standard browser, this vulnerability represents a multi-stage attack chain that significantly amplifies risk. If an employee's renderer is compromised through a separate exploit or social engineering, this flaw becomes a direct pathway to OS-level compromise—potentially granting attackers domain admin rights, access to sensitive data stores, or persistence mechanisms. The HIGH CVSS score reflects the severity of the end state, though the attack requires prior renderer compromise. Businesses relying on browser sandboxing as a security boundary should treat this as a priority remediation.
Affected systems
Google Chrome on Microsoft Windows prior to version 149.0.7827.53 is affected. The vulnerability is specific to the Windows CredentialProvider implementation and does not affect Chrome on macOS, Linux, or other operating systems. Users on Windows who have not updated to 149.0.7827.53 or later remain at risk. Note that the vulnerability requires the renderer process to already be compromised, so systems running only recent versions of Chrome without prior exploitation are at lower immediate risk.
Exploitability
While the CVSS vector indicates relatively low attack complexity (AC:H), exploitation in practice requires a two-stage approach. An attacker must first compromise the renderer process through an independent vulnerability or social engineering, then deliver the malicious HTML page to trigger the integer overflow. The requirement for user interaction (UI:R) means the target must navigate to or be directed to a specific webpage. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been widely documented. However, the attack chain is plausible for targeted campaigns.
Remediation
Immediate action: update Google Chrome to version 149.0.7827.53 or later on all Windows systems. Chrome's auto-update mechanism typically deploys patches within hours of release, but verification is recommended. For organizations using managed deployment, push the update through your standard patch management workflow. No workarounds exist for this vulnerability; patching is the only mitigation. Verify successful deployment by checking chrome://settings/help to confirm the running version.
Patch guidance
Google Chrome for Windows users should update to version 149.0.7827.53 or later. Most users will receive automatic updates; those on delayed channels should manually check chrome://settings/help or Settings > About Chrome to trigger an immediate check. System administrators managing Chrome Enterprise should use the policies (e.g., update_policy_override_platform_minimum) to ensure Windows machines receive the patch promptly. Testing in a non-production environment before broad rollout is recommended to verify compatibility, though Chrome patches are generally safe for immediate deployment.
Detection guidance
Monitor Chrome version compliance across Windows endpoints using your asset management or Mobile Device Management (MDM) tools. Organizations with Chrome Enterprise can query the reporting dashboard for devices still running pre-149.0.7827.53 versions. Endpoint Detection and Response (EDR) platforms should log any unusual privilege escalation attempts originating from Chrome processes (e.g., chrome.exe spawning child processes with elevated tokens). Look for suspicious HTML files delivered via email or web downloads that correlate with subsequent OS-level privilege escalation events. However, active exploitation in the wild is not yet confirmed, so detections may remain limited until the vulnerability is actively exploited at scale.
Why prioritize this
Although this vulnerability is rated HIGH in CVSS and resides in a widely used browser, its real-world risk is modulated by its two-stage attack requirement. Organizations should prioritize patching based on their exposure: (1) endpoints that run Chrome in high-risk environments (e.g., where users visit untrusted websites or receive targeted phishing) warrant immediate updates; (2) closed-environment or low-risk deployments can patch within normal maintenance windows; (3) the lack of KEV status suggests it is not yet being exploited at scale, so this is not a drop-everything emergency. Treat it as a high-priority but not critical patch.
Risk score, explained
The CVSS 7.5 HIGH score reflects the impact severity (HIGH confidentiality, integrity, and availability) and the attack vector (Network). However, the score is conditioned on the attacker already having code execution in the renderer. The Access Complexity (H) and User Interaction (R) requirements temper the score somewhat. In absolute terms, a fully patched Chrome user has very low risk; the risk tier only materializes if the renderer is first compromised by an unrelated vulnerability or social engineering. Security teams should contextualize the score within their threat model: if renderer-level compromises are unlikely in your environment, the practical risk is lower; if supply-chain or targeted attacks are a concern, prioritize accordingly.
Frequently asked questions
Do I need to update Chrome immediately, or can I wait for the regular update cycle?
If Chrome's auto-update is enabled (default), the patch should deploy within hours of release. If you are on a delayed channel, you can manually check for updates in Settings > About Chrome. For business environments, prioritize endpoints in high-risk use cases (open internet browsing, email access) within 1–2 weeks; lower-risk systems can follow normal patch windows. The vulnerability has not been publicly exploited at scale, so a brief delay is acceptable if you verify timely deployment.
This vulnerability requires the renderer to already be compromised. How likely is that?
Renderer compromises occur through unrelated Chrome vulnerabilities (patched frequently), watering-hole attacks, or social engineering. If users primarily access trusted internal sites and your network has anti-malware defenses, the renderer-compromise scenario is less likely. However, in environments where users browse the public web or receive targeted phishing, renderer compromise is a realistic threat. Treat this vulnerability as part of your defense-in-depth strategy: patch Chrome regularly and maintain additional controls (email filtering, EDR) to reduce the likelihood of renderer compromise in the first place.
Does this affect Chrome on macOS, Linux, or Chromebooks?
No. This vulnerability is specific to the Windows CredentialProvider component. Chrome on macOS, Linux, and Chromebooks is not affected. If your organization runs Chrome across multiple operating systems, Windows systems are the only priority for this CVE.
What should I do if I discover a user running an older version of Chrome?
Force an immediate update via your Chrome Enterprise policy or by restarting the device to trigger the auto-update process. If the user is currently browsing, they may resist a restart; communicate the urgency and coordinate a convenient time if possible. Verify the update completed by checking chrome://settings/help afterward. Investigate why the user's device was not already running the latest version—it may indicate a failure in your patch deployment process.
This analysis is based on publicly available vulnerability data as of the published date (2026-06-04). No active exploitation has been confirmed in CISA's Known Exploited Vulnerabilities catalog at the time of writing. Patch version numbers and CVSS scores are sourced from official vendor advisories; verify these details against your vendor's latest guidance before deployment. This explainer does not constitute legal advice or a guarantee of security. Organizations should conduct their own risk assessments, perform patch testing in non-production environments, and apply defense-in-depth strategies beyond patching alone. SEC.co makes no warranty as to the completeness or accuracy of this intelligence and recommends consulting directly with Google, Microsoft, and your security team for organization-specific guidance. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10015HIGHChrome WTF Integer Overflow RCE Vulnerability Analysis
- CVE-2026-10019HIGHChrome ANGLE Integer Overflow Enables Cross-Origin Data Leak
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10963HIGHChrome V8 Integer Overflow RCE – Sandbox Escape Vulnerability
- CVE-2026-10964HIGHGoogle Chrome V8 Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-10965HIGHChrome DevTools Integer Overflow Remote Code Execution